
Summary
This detection rule identifies the registration of a new time provider for the Windows Time service (W32Time) that uses an uncommon DLL name in the registry. By monitoring changes under the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider, the rule detects attempts by adversaries to abuse this feature to execute unauthorized DLLs during system boot-up. Because W32Time is responsible for time synchronization in Windows environments, changes to its configuration can indicate attempts at persistence or privilege escalation. The rule selects events that modify the 'DllName' entry and filters out known legitimate DLLs to minimize false positives, so it focuses on new or uncommon DLLs that could signify exploitation attempts. The rule's classification as experimental indicates that it is still being evaluated and may be fine-tuned to improve its accuracy and effectiveness in detecting such threats.
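The selection-and-filter logic described above, written out as an added example (not the rule's own code) in Python over constructed Sysmon Event ID 13 (registry value set) records. The allow-list of default provider DLLs and the event field names are assumptions made for this example.

```python
# Allow-list is an assumption for this example; the page only says "known legitimate DLLs".
LEGIT_DLLS = {
    r"c:\windows\system32\w32time.dll",           # default NtpClient / NtpServer providers
    r"c:\windows\system32\vmictimeprovider.dll",  # Hyper-V guest time provider
}
# Substring match so "...\W32Time\TimeProvider\" (as written on the page) and the
# pluralised "...\W32Time\TimeProviders\" key are both covered.
KEY_FRAGMENT = r"\services\w32time\timeprovider"

def normalize_dll(path: str) -> str:
    # Lower-case, strip quotes, expand the environment prefixes W32Time uses by default.
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        if p.startswith(var):
            p = r"c:\windows" + p[len(var):]
    return p

def is_time_provider_dll_value(target: str) -> bool:
    # The rule's selection: a DllName value under the W32Time provider key.
    t = target.lower()
    return KEY_FRAGMENT in t and t.endswith(r"\dllname")

def scan(events):
    # One hit per DllName registration that points at a DLL outside the allow-list.
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:             # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        if not is_time_provider_dll_value(target):
            continue
        dll = normalize_dll(ev.get("Details", ""))
        if dll in LEGIT_DLLS:                   # the rule's false-positive filter
            continue
        provider = target.rsplit("\\", 2)[-2]   # subkey name is the provider's name
        hits.append({"provider": provider, "dll": dll, "image": ev.get("Image", "")})
    return hits

# Constructed sample events: two default providers, a non-DllName value, one new provider.
BASE = r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": BASE + r"\NtpClient\DllName", "Details": r"%SystemRoot%\System32\w32time.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": BASE + r"\VMICTimeProvider\DllName", "Details": r"%SystemRoot%\System32\vmictimeprovider.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": BASE + r"\NtpClient\Enabled", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": BASE + r"\CustomTime\DllName", "Details": r"C:\Users\Public\update.dll"},
]
```

Running `scan(SAMPLE_EVENTS)` yields a single hit for the constructed CustomTime provider; the two default providers pass the allow-list and the Enabled value never matches the selection.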
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1547.003
Created: 2022-06-19